Novell Home

My Favorites

Close

Please to see your favorites.

MAG Webserver Health Check using incorrect source IP causing the Web server to be displayed as DOWN

This document (7014116) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Support Pack 2 applied
Strong network level security enabled only allowing access to specific resource from certain IP addresses

Situation

Access Manager setup and working well. Due to network constraints, the TCP connect settings for the Web server configuration has been configured with 'Make Outbound Connection Using' set to specific IP addresses. The reason for this is that the network is locked down and firewall policies only allow connections from certain IP addresses. With this change in place, all users can access the protected resources on the web servers without any issues.

Despite this, the healthcheck reported in iManager for this working AG shows that many of the Web servers are DOWN. Traces show that the heartbeat requests from the AG to the Web servers are using the primary IP address for the web server healthchecks, that are all being blocked at the Firewall. There is no option to change the source IP address of the outgoing request to be a specific interface for the healthchecks as we do with the 'Make Outbound Connection Using'option above when users access the web server.

Resolution

A defect has been opened with development. In the meantime, iptables can be used to rewrite the outgoing source IP address to workaround the issue.

The following is an example of how to do this:

iptables -t nat -A POSTROUTING -d 10.10.10.10 -s 192.168.1.1 -j SNAT –to-source 192.168.1.9

This rewrites our source address to look like the packets are coming from 192.168.1.9 instead of 192.168.1.1, but only when packets are destine for 10.10.10.10. The above example can be further locked for for specific interfaces (-o eth0), specific TCP ports (-m tcp --dport 80) if needed.


Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7014116
  • Creation Date:14-NOV-13
  • Modified Date:14-NOV-13
    • NetIQAccess Manager (NAM)

Did this document solve your problem? Provide Feedback